MCP and Agent Security
Sentinel MCP and agent checks validate tool permissions, manifests, schemas, server instructions, network reachability, and live MCP discovery output.
Sentinel MCP and Agent Security is a validation workflow for autonomous AI systems. It checks whether tools, prompts, resources, permissions, network paths, and MCP transports match the trust boundary intended by the application owner.
Trust boundaries
Agents create risk when a model can convert text into actions. Sentinel focuses on the boundaries between user input, model reasoning, tool calls, server execution, and external systems, and checks the following surfaces:
- Tool allowlists and permission scopes
- MCP server instructions and prompts
- Resource exposure and authentication metadata
- Network egress and internal service reachability
Schema hygiene
Tool schemas should be treated as security controls, not documentation. A vague schema gives the model too much freedom and makes injection easier to operationalize.
- Use narrow JSON schemas with required fields
- Validate server-side before executing actions
- Reject free-form command, path, and URL arguments unless allowlisted
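The schema-as-control idea above in working code. This is an added example, not Sentinel's own code or output: a hypothetical read_project_file tool is given a narrow JSON schema (required field, enum, length cap, no extra properties), the server validates the raw JSON-RPC arguments itself before acting, and path and URL arguments are only accepted when they fall inside constructed allowlists (ALLOWED_ROOTS and ALLOWED_URL_HOSTS are assumptions, as is the hand-rolled validator, which covers only the schema keywords the example uses).

```python
"""Server-side argument validation for an MCP tool (added example, not
Sentinel's code): a narrow JSON schema plus allowlist checks for path and
URL arguments. The schema and allowlists below are constructed."""
import json
import posixpath
from urllib.parse import urlparse

# Constructed schema for a hypothetical "read_project_file" tool. Only one
# required string argument, a closed enum, a length cap, no extra keys.
READ_FILE_SCHEMA = {
    "type": "object",
    "properties": {
        "path": {"type": "string", "maxLength": 200},
        "encoding": {"type": "string", "enum": ["utf-8", "latin-1"]},
    },
    "required": ["path"],
    "additionalProperties": False,
}

# Constructed allowlists; in a deployment they come from the reviewed manifest.
ALLOWED_ROOTS = ("docs/", "src/")
ALLOWED_URL_HOSTS = {"api.example.com"}


def validate_against_schema(args, schema):
    """Minimal structural check for the keywords used above (type, required,
    additionalProperties, enum, maxLength). Returns a list of error strings."""
    errors = []
    if not isinstance(args, dict):
        return ["arguments must be a JSON object"]
    props = schema.get("properties", {})
    for key in schema.get("required", []):
        if key not in args:
            errors.append(f"missing required field: {key}")
    if not schema.get("additionalProperties", True):
        for key in args:
            if key not in props:
                errors.append(f"unexpected field: {key}")
    for key, spec in props.items():
        if key not in args:
            continue
        value = args[key]
        if spec.get("type") == "string" and not isinstance(value, str):
            errors.append(f"{key}: expected string")
            continue
        if "enum" in spec and value not in spec["enum"]:
            errors.append(f"{key}: value not in enum")
        if "maxLength" in spec and len(value) > spec["maxLength"]:
            errors.append(f"{key}: too long")
    return errors


def path_is_allowed(path):
    """Reject absolute paths, backslashes, NUL bytes and traversal, then require
    an allowlisted root after normalisation (so docs/../x does not pass)."""
    if path.startswith("/") or "\\" in path or "\x00" in path:
        return False
    normalised = posixpath.normpath(path)
    if normalised.startswith("..") or normalised.startswith("/"):
        return False
    return any(normalised.startswith(root) for root in ALLOWED_ROOTS)


def url_is_allowed(url):
    """HTTPS only, host on the allowlist, and no userinfo trick in the authority."""
    parsed = urlparse(url)
    return (parsed.scheme == "https"
            and parsed.hostname in ALLOWED_URL_HOSTS
            and not parsed.username)


def check_read_file_call(raw_json):
    """The server-side gate: parse, check structure, then apply the allowlist.
    Returns (ok, reasons); the action runs only when ok is True."""
    try:
        args = json.loads(raw_json)
    except json.JSONDecodeError as exc:
        return False, [f"invalid JSON: {exc.msg}"]
    errors = validate_against_schema(args, READ_FILE_SCHEMA)
    if errors:
        return False, errors
    if not path_is_allowed(args["path"]):
        return False, ["path outside allowlisted roots"]
    return True, []


if __name__ == "__main__":
    for sample in ('{"path": "docs/readme.md"}',
                   '{"path": "docs/../../etc/passwd"}',
                   '{"path": "docs/a.md", "shell": "id"}'):
        print(sample, "->", check_read_file_call(sample))
```

The validator runs before any file is opened, so a model that emits an extra "shell" key, an unlisted encoding, or a traversal path gets a structured rejection rather than an action; the same gate shape applies to URL arguments via url_is_allowed.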
Live MCP discovery
Static manifests are not enough when live servers expose additional tools, prompts, or resources. Run live scans against HTTP JSON-RPC or stdio servers before production.
- Compare manifest expectations to discovered runtime capabilities
- Record auth metadata and readiness signals
- Block unexpected tools before connecting production agents
OWASP Top 10 for Agentic Applications 2026
OWASP Top 10 for Agentic Applications 2026 covers risks that appear when AI systems plan, call tools, keep memory, exchange messages, and act across multiple steps. Sentinel MCP and agent checks provide evidence for the parts an application team can validate before release.
- ASI01 Agent Goal Hijack — attacker-controlled content redirects the agent's objective or action path
- ASI02 Tool Misuse and Exploitation — legitimate tools are used in unsafe or unintended ways
- ASI03 Identity and Privilege Abuse — agent credentials or inherited permissions exceed the intended scope
- ASI04 Agentic Supply Chain Vulnerabilities — tools, MCP servers, prompts, or dependencies are poisoned or swapped
- ASI05 Unexpected Code Execution — natural-language or configuration paths reach executable code
- ASI06 Memory and Context Poisoning — stored memory, RAG data, or context changes future behavior
- ASI07 Insecure Inter-Agent Communication — one agent trusts messages, tasks, or outputs from another without validation
- ASI08 Cascading Failures — one unsafe action propagates across connected workflows
- ASI09 Human-Agent Trust Exploitation — persuasive agent output leads humans to approve harmful action
- ASI10 Rogue Agents — agents act beyond intended constraints or hide unsafe behavior
MCP tool poisoning and confused deputy
MCP tool poisoning appears when a malicious or compromised MCP server embeds hidden instructions inside tool description fields. When the model reads these descriptions, it may process attacker instructions as trusted context. The confused deputy problem appears when an agent acting with high privilege executes actions on behalf of lower-trust input without re-authorization.
- Tool description poisoning: hidden instructions embedded in JSON schema description fields
- Confused deputy: agent acts for attacker-controlled content with higher privilege than the originating principal intended
- Live capability review: compare discovered tools, prompts, resources, schemas, and transport metadata with the approved manifest
- Transport and authentication hygiene: reject unauthenticated or overbroad MCP connections
- Context isolation: keep retrieved content, tool descriptions, user text, and privileged instructions separated
- Update management: pin trusted servers and review capability changes before production agents connect
Commands
sentinel agent ./agent/
sentinel mcp scan ./mcp-manifest.json
sentinel mcp scan --url http://localhost:3000/mcp
sentinel mcp scan --stdio-command npx my-mcp-server
Expected output
Output should carry rule ID, severity, surface, evidence, and release decision in a way other teams can understand.
server: local-mcp
tools_discovered: 12
findings:
- MANIFEST-OVERBROAD-TOOLS HIGH file_write grants project root
- NET-PRIVATE-RANGE-EGRESS MEDIUM tool can call internal network range
FAQ
What is excessive agency?
Excessive agency appears when the model has more tools, permissions, network access, or action authority than the use case requires.
What should the finding include?
Include the MCP server, tool name, schema or permission field, observed capability, owner, and retest command.
What is MCP tool poisoning?
Tool poisoning occurs when an attacker embeds hidden instructions inside MCP tool description fields. The model processes these as context during tool selection, allowing the attacker to redirect model behavior without changing the visible user interface. Defenses include schema validation, description allowlisting, server authentication, and live scanning before connecting production agents.
Eresus support
Turn the finding into an action your team can actually close.
If you need exploit evidence, prioritization, remediation direction, and retesting for MCP and Agent Security, Eresus can help scope the work with your team.